arXiv: 1504.03561 v2 [cs.CR] 14 Sep 2015 


On the Workflow Satisfiability Problem with 
Class-Independent Constraints 

Jason Crampton, Andrei Gagarin, Gregory Gutin, Mark Jones, Magnus Wahlström 

Royal Holloway, University of London, Egham, Surrey, TW20 0EX, UK 

September 15, 2015 


Abstract 

A workflow specification defines sets of steps and users. An authorization policy determines 
for each user a subset of steps the user is allowed to perform. Other security requirements, such 
as separation-of-duty, impose constraints on which subsets of users may perform certain subsets 
of steps. The workflow satisfiability problem (WSP) is the problem of determining whether 
there exists an assignment of users to workflow steps that satisfies all such authorizations and 
constraints. An algorithm for solving WSP is important, both as a static analysis tool for 
workflow specifications, and for the construction of run-time reference monitors for workflow 
management systems. Given the computational difficulty of WSP, it is important, particularly 
for the second application, that such algorithms are as efficient as possible. 

We introduce class-independent constraints, enabling us to model scenarios where the set 
of users is partitioned into groups, and the identities of the user groups are irrelevant to the 
satisfaction of the constraint. We prove that solving WSP is fixed-parameter tractable (FPT) 
for this class of constraints and develop an FPT algorithm that is useful in practice. We compare 
the performance of the FPT algorithm with that of SAT4J (a pseudo-Boolean SAT solver) in 
computational experiments, which show that our algorithm significantly outperforms SAT4J 
for many instances of WSP. User-independent constraints, a large class of constraints including 
many practical ones, are a special case of class-independent constraints for which WSP was 
proved to be FPT (Cohen et al., J. Artif. Intel. Res. 2014). Thus our results considerably 
extend our knowledge of the fixed-parameter tractability of WSP. 


1 Introduction 

It is increasingly common for organizations to computerize their business and management processes. 
The co-ordination of the tasks or steps that comprise a computerized business process is managed by 
a workflow management system (or business process management system). Typically, the execution 
of these steps will be triggered by a human user, or a software agent acting under the control 
of a human user, and each step may only be executed by an authorized user. Thus a workflow 
specification will include an authorization policy defining which users are authorized to perform 
which steps. 

In addition, many workflows require controls on the users that perform certain sets of steps. 
Consider a simple purchase-order system in which there are four steps: raise-order 
($s_1$), acknowledge-receipt-of-goods ($s_2$), raise-invoice ($s_3$), and send-payment ($s_4$). The workflow 
specification for the purchase-order system includes rules to prevent fraudulent use of the system, 
the rules taking the form of constraints on users that can perform pairs of steps in the workflow: the 
same user may not raise the invoice ($s_3$) and sign for the goods ($s_2$), for example. Such a constraint 
is known as a user-independent (UI) constraint, since the specific identities of the users that perform 
these steps are not important, only the relationship between them (in this example, the identities 
must be different). 

Once we introduce constraints on the execution of workflow steps, it may be impossible to find 
a valid plan - an assignment of authorized users to workflow steps such that all constraints are 
satisfied. The Workflow Satisfiability Problem (WSP) takes a workflow specification as 
input and outputs a valid plan if one exists. WSP is known to be NP-hard, even when the set of 
constraints only includes constraints having a relatively simple structure (and arising regularly in 
practice). In particular, the Graph $k$-Colorability problem can be reduced to a special case of 
WSP in which the workflow specification only includes separation-of-duty constraints [17]. Clearly, 
it is important to be able to determine whether a workflow specification is satisfiable at design 
time. Equally, when users select steps to execute in a workflow instance, it is essential that the 
access control mechanism can determine whether (a) the user is authorized, (b) allowing the user to 
execute the step would render the instance unsatisfiable. Thus, the access control mechanism must 
incorporate an algorithm to solve WSP, and that algorithm needs to be as efficient as possible. 

Wang and Li observed that, in practice, the number $k$ of steps in a workflow will be small, 
relative to the size of the input to WSP; specifically, the number of users is likely to be an order of 
magnitude greater than the number of steps. This observation led them to set $k$ as the parameter 
and to study the problem using tools from parameterized complexity. In doing so, they proved that 
the problem is fixed-parameter tractable (FPT) for simple classes of constraints. However, Wang 
and Li also showed that for many types of constraints the problem is fixed-parameter intractable 
(unless $\mathrm{FPT} \neq \mathrm{W}[1]$ is false). Hence, it is important to be able to identify those types of practical 
constraints for which WSP is FPT. 

Recent research has made significant progress in understanding the fixed-parameter tractability 
of WSP. In particular, Cohen et al. [6] introduced the notion of patterns and, using it, proved that 
WSP is FPT (irrespective of the authorization policy) if all constraints in the specification are UI. 
This result is significant because most constraints in the literature - including separation-of-duty, 
cardinality and counting constraints - are UI. Using a modified pattern approach, Karapetyan et 
al. provided both a short proof that WSP with only UI constraints is FPT and a very efficient 
algorithm for WSP with UI constraints. 

However, it is known that not all constraints that may be useful in practice are UI. Consider a 
situation where the set of users is partitioned into groups (such as departments or teams) and we 
wish to define constraints on the groups, rather than users. In our purchase order example, suppose 
each user belongs to a specific department. Then it would be reasonable to require that steps $s_1$ 
and $s_2$ are performed by different users belonging to the same department. There is little work in 
the literature on constraints of this form, although prior work has recognized that such constraints 
are likely to be important in practice, and it has been shown that such constraints present 
additional difficulties when incorporated into WSP. 

In this paper, we extend the notion of a UI constraint to that of a class-independent (CI) constraint. 
In particular, every UI constraint is an instance of a CI constraint. Our second contribution 
is to demonstrate that patterns for UI constraints can be generalized to patterns for CI constraints, 
as well as to “nested” CI constraints in several levels. The resulting algorithm, using these 
new patterns, remains FPT (irrespective of the authorization policy), although its running time 
is somewhat slower than that of the algorithm for WSP with UI constraints only. In short, our 
first two contributions identify a large class of constraints for which WSP is shown to be FPT, and 
subsume prior work in this area. Our final contribution is an implementation of our 
algorithm in order to investigate whether the theoretical advantages implied by its fixed-parameter 
tractability can be realized in practice. We compare our FPT algorithm with SAT4J, an off-the-shelf 
pseudo-Boolean (PB) SAT solver. The results of our experiments suggest that our FPT algorithm 
enjoys some significant advantages over SAT4J for hard instances of WSP. 

In the next section, we define WSP and UI constraints in more formal terms, discuss related 
work in more detail, and introduce the notion of class-independent constraints. In Sections 3 and 4 
we state and prove a number of technical results that underpin the algorithm for solving WSP with 
class-independent constraints. We describe the algorithm and establish its worst-case complexity in 
Section 5. In Section 6 we describe the generalisations to several levels of nested CI constraints, 
and analyse the resulting running time more carefully. In Section 7 we describe our experimental 
methods and report the results of our experiments. We conclude in Section 8. 

In the main part of the paper, we focus on the case of a single non-trivial partition of the user set. 
The treatment of the case with nested CI constraints - i.e., multiple nested partitions of the user set 
- is confined to Section 6. (Nested CI constraints can be used to model hierarchical organizational 
structures, which can be useful in practice [10].) 


2 Workflow Satisfiability 

Let $S = \{s_1, \dots, s_k\}$ be a set of steps, let $U = \{u_1, \dots, u_n\}$ be a set of users in a workflow 
specification, and let $k < n$. We are interested in assigning users to steps subject to certain constraints. 
In other words, among the set $\Pi(S, U)$ of functions from $S$ to $U$, there are some that represent 
“legitimate” assignments of steps to users and some that do not. 

The legitimacy or otherwise of an assignment is determined by the authorization policy and 
the constraints that complete the workflow specification. Let $A = \{A(u) : u \in U\}$ be a set of 
authorization lists, where $A(u) \subseteq S$ for each $u \in U$, and let $C$ be a set of (workflow) constraints. 
A constraint $c \in C$ may be viewed as a pair $(T, \Theta)$, where $T \subseteq S$ is the scope of $c$ and $\Theta$ is a set 
of functions from $T$ to $U$, specifying the assignments of steps in $T$ to users in $U$ that satisfy the 
constraint. In practice, we do not enumerate all the elements of $\Theta$. Instead, we define its members 
implicitly using some constraint-specific syntax. In particular, we write $(s, s', \rho)$, where $s, s' \in S$ 
and $\rho$ is a binary relation defined on $U$, to denote a constraint that has scope $\{s, s'\}$ and is satisfied 
by any plan $\pi : S \to U$ such that $(\pi(s), \pi(s')) \in \rho$. Thus $(s, s', \neq)$, for example, requires $s$ and $s'$ to 
be performed by different users (and so represents a separation-of-duty constraint). Also $(s, s', =)$ 
states that $s$ and $s'$ must be performed by the same user (a binding-of-duty constraint). 

2.1 The Workflow Satisfiability Problem 

A plan is a function in $\Pi(S, U)$. Given a workflow $W = (S, U, A, C)$, a plan $\pi$ is authorized if for 
all $s \in S$, $s \in A(\pi(s))$, i.e. the user assigned to $s$ is authorized for $s$. A plan $\pi$ is eligible if for all 
$(T, \Theta) \in C$, $\pi|_T \in \Theta$, i.e. every constraint is satisfied. A plan $\pi$ is valid if it is both authorized 
and eligible. In the workflow satisfiability problem (WSP), we are given a workflow (specification) 
$W$, and our aim is to decide whether $W$ has a valid plan. If $W$ has a valid plan, $W$ is satisfiable; 
otherwise, $W$ is unsatisfiable. 

Note that WSP is, in fact, the conservative CSP (i.e., CSP with unary constraints corresponding 
to step authorizations in the WSP terminology). However, unlike a typical instance of CSP, where 
the number of variables is significantly larger than the number of values, a typical instance of WSP 
has many more values (i.e., users) than variables (i.e., steps). 

We assume that in all instances of WSP we consider, all constraints can be checked in time 
polynomial in n. Thus it takes polynomial time to check whether any plan is eligible. The correctness 
of our algorithm is unaffected by this assumption, but using constraints not checkable in polynomial 
time would naturally affect the running time. 

Example 1. Consider the following instance $W'$ of WSP. The step and user sets are $S = 
\{s_1, s_2, s_3, s_4\}$ and $U = \{u_1, u_2, u_3, u_4, u_5\}$. The authorization lists are $A(u_1) = \{s_1, s_2, s_3, s_4\}$, 
$A(u_2) = \{s_1\}$, $A(u_3) = \{s_2\}$, $A(u_4) = A(u_5) = \{s_3, s_4\}$. The constraints are $(s_1, s_2, =)$, $(s_2, s_3, \neq)$, 
$(s_3, s_4, \neq)$, and $(s_4, s_1, \neq)$. Observe that $\pi' : S \to U$ with $\pi'(s_1) = \pi'(s_2) = u_1$, $\pi'(s_3) = u_5$ and 
$\pi'(s_4) = u_4$ satisfies all constraints and authorizations, and thus $\pi'$ is a valid plan for $W'$. Therefore, 
$W'$ is satisfiable. 

2.2 Constraints using Equivalence Relations 

Crampton et al. introduced constraints defined in terms of an equivalence relation $\sim$ on $U$: a 
plan $\pi$ satisfies constraint $(s, s', \sim)$ if $\pi(s) \sim \pi(s')$ (and satisfies constraint $(s, s', \nsim)$ if $\pi(s) \nsim \pi(s')$). 

Hence, we could, for example, specify the pair of constraints $(s, s', \neq)$ and $(s, s', \sim)$, which, collectively, 
require that $s$ and $s'$ are performed by different users that belong to the same equivalence class. 
As we noted in the introduction, such constraints are very natural in the context of organizations 
that partition the set of users into departments, groups or teams. 

Moreover, Crampton et al. [10] demonstrated that “nested” equivalence relations can be used 
to model hierarchical structures within an organization^1 and to define constraints on workflow 
execution with respect to those structures. More formally, an equivalence relation $\sim$ is said to 
be a refinement of an equivalence relation $\approx$ if $x \sim y$ implies $x \approx y$. In particular, given an 
equivalence relation $\sim$, $=$ is a refinement of $\sim$. Crampton et al. proved that WSP remains FPT 
when some simple extensions of constraints $(s, s', \sim)$ and $(s, s', \nsim)$ are included [10, Theorem 5.4]. 

Our extension of constraints $(s, s', \sim)$ and $(s, s', \nsim)$ is much more general: it is similar to generalizing 
simple constraints $(s, s', =)$ and $(s, s', \neq)$ to the wide class of UI constraints. This leads, in particular, 
to a significant generalization of Theorem 5.4 in [10]. 

Let $c = (T, \Theta)$ be a constraint and let $\sim$ be an equivalence relation on $U$. Let $U^\sim$ denote the 
set of equivalence classes induced by $\sim$ and let $u^\sim \in U^\sim$ denote the equivalence class containing $u$. 
Then, for any function $\pi : S \to U$, we may define the function $\pi^\sim : S \to U^\sim$, where $\pi^\sim(s) = (\pi(s))^\sim$. 
In particular, $\sim$ induces a set of functions $\Theta^\sim = \{\theta^\sim : \theta \in \Theta\}$. 

Example 2. Continuing from Example 1, suppose $U^\sim$ consists of two equivalence classes $U_1 = 
\{u_1, u_2, u_5\}$ and $U_2 = \{u_3, u_4\}$. Let us add to $W'$ another constraint $(s_1, s_4, \sim)$ ($s_1$ and $s_4$ must be 
assigned users from the same equivalence class) to form a new instance $W''$ of WSP. Then plan $\pi'$ 
does not satisfy the added constraint and so $\pi'$ is not valid for $W''$. However, $\pi'' : S \to U$ with 
$\pi''(s_1) = \pi''(s_2) = u_1$, $\pi''(s_3) = u_4$ and $\pi''(s_4) = u_5$ satisfies all constraints and authorizations, and 
thus $\pi''$ is valid for $W''$. Here $(\pi'')^\sim(s_1) = (\pi'')^\sim(s_2) = (\pi'')^\sim(s_4) = U_1$ and $(\pi'')^\sim(s_3) = U_2$. 

Given an equivalence relation $\sim$ on $U$, we say that a constraint $c = (T, \Theta)$ is class-independent 
(CI) for $\sim$ if $\theta^\sim \in \Theta^\sim$ implies $\theta \in \Theta$, and for any permutation $\phi : U^\sim \to U^\sim$, $\theta^\sim \in \Theta^\sim$ implies 
$\phi \circ \theta^\sim \in \Theta^\sim$. In other words, if a plan $\pi : s \mapsto \pi(s)$ satisfies a constraint $c$, which is class-independent 
for $\sim$, then for each permutation $\phi$ of classes in $U^\sim$, if we replace $\pi(s)$ by any user in 
the class $\phi(\pi(s)^\sim)$ for every step $s$, then the new plan will satisfy $c$. 

We say a constraint is user-independent (UI) if it is CI for $=$. In other words, if a plan $\pi : s \mapsto 
\pi(s)$ satisfies a UI constraint $c$ and we replace any user in $\{\pi(s) : s \in S\}$ by an arbitrary user such 
that the replacement users are all distinct, then the new plan satisfies $c$. 

We conclude this section with a claim whose simple proof is omitted. 

Proposition 1. Given two equivalence relations $\sim$ and $\approx$ such that $\sim$ is a refinement of $\approx$, and 
any plan $\pi : S \to U$, $\pi^\sim(s) = \pi^\sim(s')$ implies $\pi^\approx(s) = \pi^\approx(s')$. 

3 Plans and Patterns 

In what follows, unless specified otherwise, we will consider the equivalence relation $=$ along with 
another fixed equivalence relation $\sim$. We will write $[m]$ to denote the set $\{1, \dots, m\}$ for any integer 
$m \ge 1$. For brevity and simplicity of presentation, we assume for now that all constraints are either 
UI or CI for $\sim$ (i.e., we consider only two equivalence relations $=$ and $\sim$); we will refer to constraints 
that are CI for $\sim$ as simply CI. In Section 6, we generalise our results to any sequence $\sim_1, \dots, \sim_l$ of 
equivalence relations such that $\sim_{i+1}$ is a refinement of $\sim_i$ for all $i \in [l-1]$. It is important to keep 
in mind that we put no restrictions on authorizations. 

We will represent groups of plans as patterns. The intuition is that a pattern defines a partition 
of the set of steps relevant to a set of constraints. For instance, suppose that we only have UI 
constraints. Then a pattern specifies which sets of steps are to be assigned to the same user. A 
pattern assigns an integer to each step and those steps that are labelled by the same integer will be 
mapped to the same user. A pattern $p$ defines an equivalence relation $\sim_p$ on the set of steps (where 
$s \sim_p s'$ if and only if $s$ and $s'$ are assigned the same label). Moreover, this pattern can be used to 
define a plan by mapping each of the equivalence classes induced by $\sim_p$ to a different user. Since we 
only consider UI constraints, the identities of the users are irrelevant (provided they are distinct). 
Conversely, any plan $\pi : S \to U$ defines a pattern: $s$ and $s'$ are labelled with the same integer if 
and only if $\pi(s) = \pi(s')$. And if $\pi$ satisfies a UI constraint $c$, then any other plan with the same 
pattern will also satisfy $c$. We can extend this notion of a pattern to CI constraints where entries 
in the pattern encode equivalence classes of users instead of single users. 

^1 Many organizations exhibit nested hierarchical structure. For example, the academic parts of many universities 
are divided into faculties/schools which are divided into departments. 
More formally, let $W = (S, U, A, C = C_= \cup C_\sim)$ be a workflow, where $C_=$ is a set of UI constraints 
and $C_\sim$ is a set of CI constraints. Let $p_= = (x_1, \dots, x_k)$ where $x_i \in [k]$ for all $i \in [k]$. We say that 
$p_=$ is a UI-pattern for a plan $\pi$ if $x_i = x_j \Leftrightarrow \pi(s_i) = \pi(s_j)$, for all $i, j \in [k]$, and $p_=$ is eligible for 
$C_=$ if any plan $\pi$ with $p_=$ as its UI-pattern is eligible for $C_=$. 

In Example 2, $C_= = \{(s_1, s_2, =), (s_2, s_3, \neq), (s_3, s_4, \neq), (s_1, s_4, \neq)\}$ and $C_\sim = \{(s_1, s_4, \sim)\}$. 
Tuples $(1, 1, 2, 3)$ and $(2, 2, 4, 3)$ are UI-patterns for plan $\pi''$ of Example 2. 

Proposition 2. Let $p_=$ be a UI-pattern for a plan $\pi$. Then $p_=$ is eligible for $C_=$ if and only if $\pi$ is 
eligible for $C_=$. 

Proof. Suppose that $\pi$ is eligible for $C_=$. We show that $\pi_0$ is eligible for $C_=$, for any plan $\pi_0$ that 
has $p_=$ as its UI-pattern, and so $p_=$ is eligible for $C_=$. 

Let $p_= = (x_1, \dots, x_k)$. Observe that for any $s_i, s_j$, we have $\pi(s_i) = \pi(s_j) \Leftrightarrow x_i = x_j \Leftrightarrow 
\pi_0(s_i) = \pi_0(s_j)$. Then define a permutation $\phi : U \to U$ as follows: $\phi(u) = \pi_0(s_i)$ if there exists 
$s_i \in S$ such that $\pi(s_i) = u$, and $\phi(u) = u$ otherwise. As $\pi_0(s_i) = \pi_0(s_j)$ for any $s_i, s_j$ such that 
$\pi(s_i) = \pi(s_j) = u$, $\phi$ is well-defined. Furthermore $\pi_0 = \phi \circ \pi$. Then it follows from the definition of 
a user-independent constraint that for any $c = (T, \Theta) \in C_=$, $\pi|_T \in \Theta \Leftrightarrow \pi_0|_T \in \Theta$. It follows that 
as $\pi$ satisfies every constraint in $C_=$, $\pi_0$ satisfies every constraint in $C_=$ and so $\pi_0$ is eligible for $C_=$, 
as required. 

For the converse, it follows by definition that if $p_=$ is eligible for $C_=$ then $\pi$ is eligible for $C_=$. □ 

Let $p_\sim = (y_1, \dots, y_k)$, where $y_i \in [k]$ for all $i \in [k]$. We say that $p_\sim$ is a CI-pattern for a plan $\pi$ 
if $y_i = y_j \Leftrightarrow \pi^\sim(s_i) = \pi^\sim(s_j)$, for all $i, j \in [k]$, and $p_\sim$ is eligible for $C_\sim$ if any plan $\pi$ with $p_\sim$ as its 
CI-pattern is eligible for $C_\sim$. For example, $(1, 1, 2, 1)$ and $(2, 2, 4, 2)$ are CI-patterns for plan $\pi''$ of 
Example 2. The next result is a generalization of Proposition 2. 

Proposition 3. Let $p_\sim$ be a CI-pattern for a plan $\pi$. Then $p_\sim$ is eligible for $C_\sim$ if and only if $\pi$ is 
eligible for $C_\sim$. 

Proof. Suppose that $\pi$ is eligible for $C_\sim$. We show that $\pi_0$ is eligible for $C_\sim$, for any plan $\pi_0$ that 
has $p_\sim$ as its CI-pattern, and so $p_\sim$ is eligible for $C_\sim$. 

Let $p_\sim = (y_1, \dots, y_k)$. Observe that for any $s_i, s_j$, we have $\pi^\sim(s_i) = \pi^\sim(s_j) \Leftrightarrow y_i = y_j \Leftrightarrow 
\pi_0^\sim(s_i) = \pi_0^\sim(s_j)$. Then define a permutation $\phi : U^\sim \to U^\sim$ as follows: $\phi(u^\sim) = \pi_0^\sim(s_i)$ if there 
exists $s_i \in S$ such that $\pi^\sim(s_i) = u^\sim$, and $\phi(u^\sim) = u^\sim$ otherwise. As $\pi_0^\sim(s_i) = \pi_0^\sim(s_j)$ for any $s_i, s_j$ 
such that $\pi^\sim(s_i) = \pi^\sim(s_j) = u^\sim$, $\phi$ is well-defined. Furthermore $\pi_0^\sim = \phi \circ \pi^\sim$. 

Then it follows from the definition of a class-independent constraint that for any $c = (T, \Theta) \in C_\sim$, 
$\pi|_T \in \Theta \Leftrightarrow \pi^\sim|_T \in \Theta^\sim \Leftrightarrow \phi \circ (\pi^\sim|_T) \in \Theta^\sim \Leftrightarrow \pi_0^\sim|_T \in \Theta^\sim \Leftrightarrow \pi_0|_T \in \Theta$. It follows that as $\pi$ satisfies 
every constraint in $C_\sim$, $\pi_0$ satisfies every constraint in $C_\sim$ and so $\pi_0$ is eligible for $C_\sim$, as required. 
For the converse, it follows by definition that if $p_\sim$ is eligible for $C_\sim$ then $\pi$ is eligible for $C_\sim$. □ 

Now let $p = (p_=, p_\sim)$ be a pair containing a UI-pattern and a CI-pattern. Then we call $p$ a 
(UI, CI)-pattern. We say that $p$ is a (UI, CI)-pattern for $\pi$ if $p_=$ is a UI-pattern for $\pi$ and $p_\sim$ is a 
CI-pattern for $\pi$. We say that $p$ is eligible for $C = C_= \cup C_\sim$ if $p_=$ is eligible for $C_=$ and $p_\sim$ is eligible 
for $C_\sim$. The following two results follow immediately from Propositions 2 and 3 and definitions of 
UI- and CI-patterns. 

Lemma 1. Let $p = (p_=, p_\sim)$ be a (UI, CI)-pattern for a plan $\pi$. Then $p$ is eligible for $C = C_= \cup C_\sim$ 
if and only if $\pi$ is eligible for $C$. 

Proposition 4. There is a (UI, CI)-pattern $p$ for every plan $\pi$. 

We say a (UI, CI)-pattern $p$ is realizable if there exists a plan $\pi$ such that $\pi$ is authorized and 
$p$ is a (UI, CI)-pattern for $\pi$. Given the above results, in order to solve a WSP instance with user- 
and class-independent constraints, it is enough to decide whether there exists a (UI, CI)-pattern $p$ 
such that (i) $p$ is realizable, and (ii) $p$ is eligible (and hence $\pi$ is eligible) for $C = C_= \cup C_\sim$. 

We will enumerate all possible (UI, CI)-patterns, and for each one check whether the two conditions 
hold. We defer the explanation of how to determine whether $p$ is realizable until Sec. S] 
We now show it is possible to check whether a (UI, CI)-pattern $p = (p_=, p_\sim)$ is eligible in time 
polynomial in the input size $N$. Indeed, in polynomial time, we can construct plans $\pi_=$ and $\pi_\sim$ with 
patterns $p_=$ and $p_\sim$ respectively, where $\pi_=(s_i) = \pi_=(s_j)$ if and only if $x_i = x_j$ and $\pi_\sim(s_i) \sim \pi_\sim(s_j)$ 
if and only if $y_i = y_j$. (In particular, we can select a representative user from each equivalence 
class in $U^\sim$.) By Lemma 1 and Propositions 2 and 3, $p$ is eligible if and only if both $\pi_=$ and $\pi_\sim$ 
are eligible. By our assumption before Example 1, eligibility of both $\pi_=$ and $\pi_\sim$ can be checked in 
polynomial time.^2 Note, however, that $\pi_=$ and $\pi_\sim$ may be different plans, so this simple check for 
eligibility does not give us a check for realizability of $p$. 

4 Checking Realizability 

A partial plan $\pi$ is a function from a subset $T$ of $S$ to $U$. In particular, a plan is a partial plan. 
To avoid confusion with partial plans, sometimes we will call plans complete plans. We can easily 
extend the definitions of eligible, authorized and valid plans to partial plans: the only difference is 
that we only consider authorizations for steps in $T$ and constraints with scope being a subset of $T$. 

We also define partial patterns. For a UI- or CI-pattern $q = (x_1, \dots, x_k)$ and a subset $T \subseteq S$, let 
the pattern $q|_T = (z_1, \dots, z_k)$, where $z_i = x_i$ if $s_i \in T$, and $z_i = 0$ otherwise. We say that $p|_T$ is a 
(UI, CI)-pattern for a partial plan $\pi : T \to U$ if $p|_T$ with all coordinates with 0 values removed is a 
(UI, CI)-pattern for $\pi$. We therefore have that if $p$ is a (UI, CI)-pattern for a plan $\pi$, then $p|_T$ is a 
(UI, CI)-pattern for $\pi$ restricted to $T$. 

Let $p = (p_= = (x_1, \dots, x_k), p_\sim = (y_1, \dots, y_k))$ be a (UI, CI)-pattern. We say that $p$ is consistent 
if $x_i = x_j \Rightarrow y_i = y_j$ for all $i, j \in [k]$. Recall that if $p$ is the (UI, CI)-pattern for $\pi$, then 
$x_i = x_j \Leftrightarrow \pi(s_i) = \pi(s_j)$, and $y_i = y_j \Leftrightarrow \pi^\sim(s_i) = \pi^\sim(s_j)$. Thus Proposition 1 implies that if 
$p$ is the (UI, CI)-pattern for any plan then $p$ is consistent. Henceforth, we will only consider (UI, 
CI)-patterns that are consistent. 

Given a (UI, CI)-pattern $(p_=, p_\sim)$, we must determine whether this (UI, CI)-pattern can be 
realized, given the authorization lists defined on users. The patterns $p_=$ and $p_\sim$ define two sets 
of equivalence classes on $S$: $s_i$ and $s_j$ are in the same equivalence class of $S$ defined by $p_=$ ($p_\sim$, 
respectively) if and only if $x_i = x_j$ ($y_i = y_j$, respectively). 

Moreover each equivalence class induced by $p_\sim$ is partitioned by equivalence classes induced 
by $p_=$. We must determine whether there exists a plan $\pi : S \to U$ that simultaneously (i) has 
UI-pattern $p_=$, (ii) has CI-pattern $p_\sim$, and (iii) assigns an authorized user to each step. Informally, 
our algorithm for checking realizability computes two things. 

• For each pair $(T, V)$, where $T \subseteq S$ is an equivalence class induced by $p_\sim$ and $V \subseteq U$ is an 
equivalence class induced by $\sim$, whether there exists an injective mapping from the equivalence 
classes in $T$ induced by $p_=$ to authorized users in $V$. We call such a mapping a second-level 
mapping. 

• Whether there exists an injective mapping $f$ from the set of equivalence classes induced by 
$p_\sim$ to the set of equivalence classes induced by $\sim$ such that $f(T) = V$ only if there exists a 
second-level mapping from $T$ to $V$. We call $f$ a top-level mapping. 

If a top-level mapping exists, then, by construction, it can be “deconstructed” into authorized partial 
plans defined by second-level mappings. We compute top- and second-level mappings using 
matchings in bipartite graphs, as described below. 

The Top-level Bipartite Graph. The UI-pattern $p_= = (x_1, \dots, x_k)$ induces an equivalence 
relation on $S = \{s_1, \dots, s_k\}$, where $s_i$ and $s_j$ are equivalent if and only if $x_i = x_j$. Let $\mathcal{S} = 
\{S_1, \dots, S_l\}$ be the set of equivalence classes of $S$ under this relation. Similarly, the CI-pattern 
$p_\sim = (y_1, \dots, y_k)$ induces an equivalence relation on $S$, where $s_i, s_j$ are equivalent if and only if 
$y_i = y_j$. Let $\mathcal{T} = \{T_1, \dots, T_m\}$ be the equivalence classes under this relation. Observe that since $p$ 
is consistent, we have $k \ge l \ge m$ and for any $S_i, T_j$, either $S_i \subseteq T_j$ or $S_i \cap T_j = \emptyset$. 

^2 Clearly, it is not hard to check eligibility of $p$ without explicitly constructing $\pi_=$ and $\pi_\sim$, as is done in our 
algorithm implementation, described in Section [tPI 
Definition 1. Given a (UI, CI)-pattern $p = (p_=, p_\sim)$, the top-level bipartite graph $G_p$ is defined 
as follows. Let the partite sets of $G_p$ be $\mathcal{T}$ and $U^\sim$. For each $T_r \in \mathcal{T}$ and class $u^\sim \in U^\sim$, we have an 
edge between $T_r$ and $u^\sim$ if and only if there exists an authorized partial plan $\pi_r : T_r \to u^\sim$ such that 
$p_=|_{T_r}$ is a UI-pattern for $\pi_r$. 

Lemma 2. If a (UI, CI)-pattern $p = (p_=, p_\sim)$ is realizable, then $G_p$ has a matching covering $\mathcal{T}$. 

Proof. Let $\pi$ be an authorized plan such that $p$ is a (UI, CI)-pattern for $\pi$. As $p_\sim$ is a CI-pattern 
for $\pi$, we have that for each $T_r \in \mathcal{T}$ and all $s_i, s_j \in T_r$, $\pi^\sim(s_i) = \pi^\sim(s_j)$. Therefore $\pi(T_r) \subseteq u^\sim$ for 
some $u \in U$. Let $u_r^\sim$ be this equivalence class for each $T_r$. As $p_\sim$ is a CI-pattern for $\pi$, we have that 
for all $r \neq r'$ and any $s_i \in T_r$, $s_j \in T_{r'}$, $\pi^\sim(s_i) \neq \pi^\sim(s_j)$. It follows that $u_r^\sim \neq u_{r'}^\sim$ for any $r \neq r'$. 

Let $M = \{T_r u_r^\sim \in E(G_p) : T_r \in \mathcal{T}\}$. As $u_r^\sim \neq u_{r'}^\sim$ for any $r \neq r'$ we have that $M$ is a matching 
that covers $\mathcal{T}$. It remains to show that $M$ is a matching of $G_p$ covering $\mathcal{T}$, i.e. that $T_r u_r^\sim$ is an edge 
in $G_p$ for each $T_r$. For each $T_r \in \mathcal{T}$, let $\pi_r$ be $\pi$ restricted to $T_r$. Then $\pi_r$ is a function from $T_r$ to 
$u_r^\sim$. As $\pi$ is authorized, $\pi_r$ is also authorized. As $p_=$ is a UI-pattern for $\pi$, we have that $p_=|_{T_r}$ is a 
UI-pattern for $\pi_r$. Therefore $\pi_r$ satisfies all the conditions for there to be an edge $T_r u_r^\sim$ in $G_p$. □ 

We have shown that for any (UI, CI)-pattern to be realizable, it must be consistent and its 
top-level bipartite graph must have a matching covering T. We will now show that these necessary 
conditions are also sufficient. 

Lemma 3. Let $p = (p_= = (x_1, \dots, x_k), p_\sim = (y_1, \dots, y_k))$ be a (UI, CI)-pattern which is consistent, 
and such that $G_p$ has a matching covering $\mathcal{T}$. Then $p$ is realizable. 

Proof. Fix a matching $M$ in $G_p$ covering $\mathcal{T}$. For each $T_r \in \mathcal{T}$, let $u_r^\sim \in U^\sim$ be the equivalence class 
of $U$ for which $T_r u_r^\sim$ is an edge in $M$. Let $\pi_r$ be the authorized partial plan $\pi_r : T_r \to u_r^\sim$ such that 
$p_=|_{T_r}$ is a UI-pattern for $\pi_r$ (which must exist as $T_r u_r^\sim$ is an edge in $G_p$). Let $\pi = \bigcup_{T_r \in \mathcal{T}} \pi_r$. As 
each $\pi_r$ is authorized, $\pi$ is also authorized. It remains to show that $p$ is a (UI, CI)-pattern for $\pi$. 

We first show that $p_\sim$ is a CI-pattern for $\pi$. Consider $y_i, y_j$ for any $i, j \in [k]$. If $y_i = y_j$, then 
$s_i, s_j \in T_r$ for some $r$, so by construction $\pi(s_i), \pi(s_j) \in u_r^\sim$, and hence $\pi^\sim(s_i) = \pi^\sim(s_j)$. If $y_i \neq y_j$ 
then $\pi(s_i) \in u_r^\sim$ and $\pi(s_j) \in u_{r'}^\sim$, and as $M$ is a matching, $u_r^\sim \neq u_{r'}^\sim$. Therefore $\pi^\sim(s_i) \neq \pi^\sim(s_j)$. 
We therefore have that $p_\sim$ is a CI-pattern for $\pi$. 

We now show that $p_=$ is a UI-pattern for $\pi$. Consider $x_i, x_j$ for any $i, j \in [k]$. If $x_i = x_j$, then as 
$p$ is consistent we also have $y_i = y_j$. Therefore $s_i, s_j \in T_r$ for some $r$. As $\pi_r$ satisfies the conditions 
of the edge $T_r u_r^\sim$, we have that $\pi_r(s_i) = \pi_r(s_j)$ and so $\pi(s_i) = \pi(s_j)$. If $x_i \neq x_j$, there are two 
cases to consider. If $y_i = y_j$, then again $s_i, s_j \in T_r$, and as $\pi_r$ satisfies the conditions of the edge 
$T_r u_r^\sim$, $\pi_r(s_i) \neq \pi_r(s_j)$ and so $\pi(s_i) \neq \pi(s_j)$. If on the other hand $y_i \neq y_j$, then by construction 
$\pi(s_i) \in u_r^\sim$ and $\pi(s_j) \in u_{r'}^\sim$ for some $r \neq r'$, and so $\pi(s_i) \neq \pi(s_j)$. Thus $p_=$ is a UI-pattern for $\pi$, as 
required. □ 

The Second-level Bipartite Graph. For each (UI, CI)-pattern $p = (p_=, p_\sim)$, we need to construct 
the graph $G_p$ and decide whether it has a matching covering $\mathcal{T}$, in order to decide whether $p$ 
is realizable. Given $G_p$, a maximum matching can be found in polynomial time using standard 
techniques, but constructing $G_p$ itself is non-trivial. For each potential edge $T_r u^\sim$ in $G_p$, we need 
to decide whether there exists an authorized partial plan $\pi_r : T_r \to u^\sim$ such that $p_=|_{T_r}$ is a UI-pattern 
for $\pi_r$. We can decide this by constructing another bipartite graph, $G_{T_r u^\sim}$. Recall that 
$\mathcal{S} = \{S_1, \dots, S_l\}$ is a partition of $S$ into equivalence classes, where $s_i, s_j$ are equivalent if $x_i = x_j$, 
and for each $S_h \in \mathcal{S}$, either $S_h \subseteq T_r$ or $S_h \cap T_r = \emptyset$. Define $\mathcal{S}_r = \{S_h : S_h \subseteq T_r\}$. 

Definition 2. Given a (UI, CI)-pattern $p = (p_= = (x_1, \dots, x_k), p_\sim = (y_1, \dots, y_k))$, a set $T_r \in \mathcal{T}$ 
and equivalence class $u^\sim \in U^\sim$, the second-level bipartite graph $G_{T_r u^\sim}$ is defined as follows: Let 
the partite sets of $G_{T_r u^\sim}$ be $\mathcal{S}_r$ and $u^\sim$, and for each $S_h \in \mathcal{S}_r$ and $v \in u^\sim$, we have an edge between $S_h$ 
and $v$ if and only if $v$ is authorized for all steps in $S_h$. 

Lemma 4. Given $T_r \in \mathcal{T}$, $u^\sim \in U^\sim$, the following conditions are equivalent. 

• There exists an authorized partial plan $\pi : T_r \to u^\sim$ such that $p_=|_{T_r}$ is a UI-pattern for $\pi$. 

• $G_{T_r u^\sim}$ has a matching that covers $\mathcal{S}_r$. 
Algorithm 1: Main 
input : WSP instance $W = (S, U, A, C)$ 
output : UNSAT or SAT 

    $p_= = 0^k$; 
    $p_\sim = 0^k$; 
    return PatBackTrack($W, p_=, p_\sim$); 


Proof. Suppose first that there exists an authorized partial plan $\pi : T_r \to u^\sim$ such that $p_=|_{T_r}$ 
is a UI-pattern for $\pi$. For each $S_h \in \mathcal{S}_r$ and any $s_i, s_j \in S_h$, we have that $x_i = x_j$ and so 
$\pi(s_i) = \pi(s_j)$. So let $v_h$ be the user in $u^\sim$ such that $\pi(s) = v_h$ for all $s \in S_h$. As $\pi$ is authorized, 
clearly $v_h$ is authorized for all $s \in S_h$, and so $S_h v_h$ is an edge in $G_{T_r u^\sim}$. Furthermore for any 
$s_i \in S_h$, $s_j \in S_{h'}$, $h \neq h'$, we have that $x_i \neq x_j$ and so $\pi(s_i) \neq \pi(s_j)$ (as $p_=|_{T_r}$ is a UI-pattern for $\pi$). 
Therefore $M = \{S_h v_h : S_h \in \mathcal{S}_r\}$ is a matching in $G_{T_r u^\sim}$ that covers $\mathcal{S}_r$, as required. 

Conversely, suppose that $G_{T_r u^\sim}$ has a matching $M$ that covers $\mathcal{S}_r$. For each $S_h \in \mathcal{S}_r$, let $v_h$ be 
the user matched to $S_h$ in $M$. Let $\pi : T_r \to u^\sim$ be the partial plan such that $\pi(s) = v_h$ for $s \in S_h$. 
As $v_h \neq v_{h'}$ for any $S_h \neq S_{h'}$, and $x_i = x_j$ if and only if $s_i, s_j$ are in the same $S_h$, we have that 
$\pi(s_i) = \pi(s_j)$ if and only if $x_i = x_j$, and so $p_=|_{T_r}$ is a UI-pattern for $\pi$. Furthermore, as $v_h$ is 
authorized for all $s \in S_h$, $\pi$ is authorized, as required. □ 


5 FPT Algorithm 


Algorithm 2: PatBackTrack($W$, $p_=$, $p_\sim$)

input : WSP instance $W = (S, U, A, C)$, partial patterns $p_= = (x_1, \dots, x_k)$ and $p_\sim = (y_1, \dots, y_k)$
output : UNSAT or SAT

if $p_=$ is complete and $p_\sim$ is complete then
    return Realizable($W$, $p$);
else
    if $p_=$ is incomplete then
        Choose $i$ such that $x_i = 0$;
        for each $a \in \{1, \dots, \max\{x_j : 1 \le j \le k\} + 1\}$ do
            $x_i = a$;
            if $\exists u$ authorized for all $s_j$ such that $x_j = a$ and $p_=$ is eligible then
                if PatBackTrack($W$, $p_=$, $p_\sim$) returns SAT then
                    Return SAT;
    else
        Choose $i$ such that $y_i = 0$;
        for each $a \in \{1, \dots, \max\{y_j : 1 \le j \le k\} + 1\}$ do
            for each $j$ such that $x_j = x_i$ do
                $y_j = a$;
            if $p_\sim$ is eligible then
                if PatBackTrack($W$, $p_=$, $p_\sim$) returns SAT then
                    Return SAT;
Return UNSAT;


Algorithms 1 and 2 provide a partial pseudo-code of our FPT algorithm (still for the case of a
single level of CI-constraints). To save space, we do not describe procedure Realizable($W$, $p$), which
is a construction of bipartite graphs and search for matchings in those graphs as described in Section
3. We also omit a weight heuristic, which is described in Section 7.

Our algorithm generates (UI, CI)-patterns $p$ in a backtracking manner as follows. It first generates
partial patterns $p_= = (x_1, \dots, x_k)$, where the coordinates $x_i = 0$ are assigned one by one
to integers in $[k']$, where $k' = \max_{1 \le j \le k}\{x_j\} + 1$ (see Algorithm 2). The algorithm keeps $x_i$ set
to $a \in [k']$ only if there is a user authorized to perform all steps $s_j$ for which $x_j = a$ in $p_=$. The
algorithm also checks that the pattern $p_=$ does not violate any constraints whose scope contains the
corresponding step $s_i$.

If an eligible pattern $p_= = (x_1, \dots, x_k)$ has been completed (i.e., $x_j \neq 0$ for each $j \in [k]$), the
partial patterns $p_\sim = (y_1, \dots, y_k)$ are generated as above but with two differences: the algorithm
ensures the consistency condition and no preliminary authorization checks are performed (see Algorithm 2).

If an eligible (UI, CI)-pattern $p$ has been constructed, a procedure constructing bipartite graphs
and searching for matchings in them as described in Section 3 decides whether $p$ is realizable. The
algorithm stops when either a realizable and eligible pattern is found, or all eligible patterns have
been considered and the WSP instance is declared unsatisfiable.

The following theorem follows from the more general Theorem 3 given in Section 6. Note that
the algorithm we describe above is equivalent to the special case of $r = 2$ of the general algorithm.

Theorem 1. We can solve WSP with UI and CI constraints in
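
The backtracking of Algorithm 2 together with the two-level matching test performed by Realizable, as an added Python example (not the authors' C++ implementation). It assumes 0-indexed steps, takes the first zero coordinate instead of the weight heuristic, uses Kuhn's augmenting-path matching in place of the modified Hungarian algorithm, and runs on a small constructed instance; all function and variable names are illustrative.

```python
from functools import lru_cache

def cover_matching(n_left, n_right, adj):
    """True iff some matching covers every left vertex (Kuhn's augmenting paths)."""
    match = [None] * n_right              # match[r] = left vertex currently matched to r

    def augment(l, seen):
        for r in range(n_right):
            if r not in seen and adj(l, r):
                seen.add(r)
                if match[r] is None or augment(match[r], seen):
                    match[r] = l
                    return True
        return False

    return all(augment(l, set()) for l in range(n_left))

def group(steps, labels):
    """Partition `steps` into blocks of equal pattern label."""
    blocks = {}
    for s in steps:
        blocks.setdefault(labels[s], []).append(s)
    return list(blocks.values())

def realizable(x, y, auth, classes):
    """Two-level matching test for a complete, consistent pattern (x, y)."""
    T = group(range(len(x)), y)           # top level: one block T_r per label of p_~

    @lru_cache(maxsize=None)
    def top_edge(r, c):
        # Second-level graph: blocks of p_= inside T_r versus the users of class c.
        S_r, users = group(T[r], x), classes[c]
        return cover_matching(len(S_r), len(users),
                              lambda h, v: all(s in auth[users[v]] for s in S_r[h]))

    return cover_matching(len(T), len(classes), top_edge)

def eligible(x, y, constraints):
    """A partial pattern is ineligible once an assigned pair violates a constraint."""
    for kind, s, t in constraints:
        if kind == "!=" and x[s] and x[s] == x[t]:
            return False
        if kind in ("~", "!~") and y[s] and y[t] and (y[s] == y[t]) != (kind == "~"):
            return False
    return True

def pat_backtrack(x, y, auth, classes, constraints):
    k = len(x)
    if 0 not in x and 0 not in y:
        return realizable(x, y, auth, classes)
    if 0 in x:                            # extend p_= by one coordinate
        i = x.index(0)
        for a in range(1, max(x) + 2):    # a in {1, ..., max + 1}
            x[i] = a
            block = [j for j in range(k) if x[j] == a]
            if (any(all(j in ok for j in block) for ok in auth.values())
                    and eligible(x, y, constraints)
                    and pat_backtrack(x, y, auth, classes, constraints)):
                return True
        x[i] = 0
    else:                                 # extend p_~, keeping x_i = x_j => y_i = y_j
        i = y.index(0)
        same = [j for j in range(k) if x[j] == x[i]]
        for a in range(1, max(y) + 2):
            for j in same:
                y[j] = a
            if eligible(x, y, constraints) and pat_backtrack(x, y, auth, classes, constraints):
                return True
        for j in same:
            y[j] = 0
    return False

def solve(k, auth, classes, constraints):
    return "SAT" if pat_backtrack([0] * k, [0] * k, auth, classes, constraints) else "UNSAT"

# Constructed instance: steps 0..3, user classes A = {a1, a2} and B = {b1}.
AUTH = {"a1": {0, 1}, "a2": {1, 2}, "b1": {2, 3}}
CLASSES = [["a1", "a2"], ["b1"]]
BASE = [("!=", 0, 1), ("~", 0, 1), ("!~", 1, 3)]

if __name__ == "__main__":
    print(solve(4, AUTH, CLASSES, BASE))                                 # SAT
    print(solve(4, AUTH, CLASSES, BASE + [("~", 2, 3), ("!=", 2, 3)]))   # UNSAT
```

In the second call, step 3 can only go to b1, the added constraints force step 2 onto a different user of the same class, and class B has no second user, so every eligible pattern fails the second-level matching.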


6 Nested Equivalence Relations 

Suppose we have a series of equivalence relations $\sim_1, \sim_2, \dots, \sim_r$ such that each equivalence relation
is a refinement of the ones preceding it, and a set of constraints $C_{\sim_q}$ for each equivalence relation
$\sim_q$. Then we extend our approach as follows. For each equivalence relation $\sim_q$ we define a
pattern $p_{\sim_q} = (x^q_1, \dots, x^q_k)$, where $x^q_i \in [k]$ for all $i \in [k]$. We will also write the pattern $p_{\sim_q}$ as
$(p_{\sim_q}(1), \dots, p_{\sim_q}(k))$. We say that $p_{\sim_q}$ is a $\sim_q$-pattern for a plan $\pi$ if $x^q_i = x^q_j \Leftrightarrow \pi(s_i) \sim_q \pi(s_j)$
for all $i, j \in [k]$. Given a plan $\pi$ and a $\sim_q$-pattern $p_{\sim_q}$ for $\pi$ for each $q \in [r]$, we define the
tuple $p = (p_{\sim_1}, \dots, p_{\sim_r})$ to be a joint pattern for $\pi$. The algorithm now proceeds in a natural
generalisation of the previously considered case where $q = 2$ (see below), but in order to analyse
the running time more carefully we need to note some subtleties in the definitions of patterns and
partitions.

6.1 Joint Patterns and Nested Partitions 

Consider nested equivalence relations $\sim_1, \dots, \sim_r$ as above, and an instance of WSP with constraints
$C_{\sim_1} \cup \dots \cup C_{\sim_r}$, where for each $i \in [r]$, $C_{\sim_i}$ contains constraints that are CI for $\sim_i$. We define a joint
pattern $p = (p_{\sim_1}, \dots, p_{\sim_r})$ to be eligible and realizable in the natural way, extending the definitions
used previously in this paper. Similarly, $p$ is consistent if $x^{q+1}_i = x^{q+1}_j \Rightarrow x^q_i = x^q_j$ for all $q \in [r-1]$,
$i, j \in [k]$.

As previously, it is easy to test in polynomial time whether a joint pattern is eligible, and
realizability can be tested via a generalisation of the approach described in Section 3; see below.
Hence, the existence of an FPT algorithm (parameterized jointly by k and r) follows from the 
number of joint patterns being bounded, and from an algorithm for enumerating joint patterns (also 
given below). (The number of (not necessarily consistent) possible joint patterns is clearly 
which would also be the dominating term in a naive analysis of the running time.) 

We briefly note that restricting our attention to consistent joint patterns does not improve this
bound. To see this, consider a plan $\pi$ where all steps are assigned to different $\sim_i$-equivalence classes
on all levels $i$, i.e., $\pi^{\sim_i}(s) \neq \pi^{\sim_i}(s')$ for all steps $s \neq s'$. Then the number of consistent joint
patterns corresponding to $\pi$ is exactly $(k!)^r$ = since a different numbering scheme may be
used at every level of the pattern.

Footnote: In this paper, all logarithms are of base 2.

Footnote: In reality, $r$ will be quite small and may be considered as a parameter alongside $k$.

For a better bound on the running time, we introduce some more terminology. Recall that a
partition $\mathcal{P}$ is a refinement of a partition $\mathcal{P}'$ if they are partitions of the same ground set, and for
every set $S \in \mathcal{P}$ there is some set $S' \in \mathcal{P}'$ such that $S \subseteq S'$. A nested partition (in $r$ levels) of
a set $S$ is a tuple $\mathcal{P} = (\mathcal{P}_1, \dots, \mathcal{P}_r)$ of partitions of $S$ where $\mathcal{P}_{i+1}$ is a refinement of $\mathcal{P}_i$ for each
$i \in [r-1]$. Thus a nested partition is essentially equivalent to a consistent joint pattern, except
that no numbering for the partitions has been specified. We find that this has a significant impact
on their number.

Theorem 2. Let $S$ be a set with $|S| = k$ and let $r$ be an integer. The number of nested partitions
of $S$ in $r$ levels is at most $(r+1)^{k-1} k^{k-2}$.

Proof. We will describe nested partitions in terms of edge-labelled trees, such that distinct nested 
partitions yield distinct edge-labelled trees; the bound will follow. 

We construct a tree $T$ on vertex set $S$ bottom-up as follows. To begin, let $T_r$ be an arbitrary
forest corresponding to the partition $\mathcal{P}_r$, i.e., the partition of $S$ into connected components of $T_r$ is
exactly the partition $\mathcal{P}_r$. Let every edge of $T_r$ have label $r$. Note that some components of $T_r$ may
be edgeless, i.e., consist of only a single step $s \in S$.

Next, for each $i \in [r-1]$ we iteratively define a forest $T_i$ from $T_{i+1}$ by adding new edges to $T_{i+1}$,
with label $i$, until $T_i$ corresponds to the partition $\mathcal{P}_i$ (in the same sense as previously). Note that
this is possible since $\mathcal{P}$ is a nested partition. Again, the precise choice of edges is arbitrary (subject
to these specifications).

Finally, we complete $T_1$ into a tree $T$ by adding edges with label 0. This yields a tree over $S$
with edges labelled by $r+1$ different labels. By Cayley's formula, there are $k^{k-2}$ distinct trees on $S$,
and for each tree there are $(r+1)^{k-1}$ different edge labellings; hence the number of distinct labelled
trees matches the claimed bound.

It only remains to show that distinct nested partitions yield distinct labelled trees. This follows
since the nested partition can be recovered from the labelled tree: by construction, the partition $\mathcal{P}_i$
corresponds to the forest containing all edges of $T$ with label $j \ge i$.

The result follows. □ 

In the rest of this section, we show how to give an FPT algorithm which enumerates distinct 
nested partitions. (This will be very similar to the results of Sections [SHSl indeed, it is not difficult 
to see that the enumeration strategy shown in Algorithm [ 2 ] meets this requirement.) 

The discussion will focus on consistent joint patterns, since this notion matches the design of 
the algorithm more closely; we will return to the notion of nested partitions when we provide the 
running time bound. 

6.2 Checking Realizability 

Let us discuss how to check realizability of a joint pattern. Note that if $p$ is the joint pattern for
a plan, then necessarily $p$ is consistent; hence we assume that $p = (p_{\sim_1}, \dots, p_{\sim_r})$ is a consistent
pattern.

Rather than defining two layers of bipartite graphs in order to check realizability, we define $r$
layers. For notational convenience, let $\sim_0$ be the trivial equivalence relation for which all users are
in the same class, and let $p_{\sim_0}$ be a pattern matching every task to the same label. We assume that
$\sim_r$ is the relation $=$ (if $\sim_r$ is not the relation $=$, we need to introduce $=$ as a new relation $\sim_{r+1}$
and proceed with a larger value of $r$).

For any $q \in \{0, \dots, r\}$, and any label $x$ appearing in $p_{\sim_q}$, let $S^q_x = \{s_i \in S : x^q_i = x\}$. For $q < r$,
let $\mathcal{S}^q_x$ be the set of all $S^{q+1}_y$ for which $S^{q+1}_y \subseteq S^q_x$. (Note that as $p$ is consistent, for any labels $x, y$,
either $S^{q+1}_y \subseteq S^q_x$ or $S^{q+1}_y \cap S^q_x = \emptyset$.) Let $v^{\sim_q}$ be an equivalence class with respect to $\sim_q$. For any
such equivalence class, $(v^{\sim_q})^{\sim_{q+1}}$ denotes the set of all equivalence classes of $v^{\sim_q}$ with respect to
$\sim_{q+1}$, i.e. the set of all $\sim_{q+1}$-classes contained in $v^{\sim_q}$. Then we define a $q$th-level bipartite
graph as follows:

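Definition 3. Given a joint pattern $p = (p_{\sim_1} = (x^1_1, \dots, x^1_k), \dots, p_{\sim_r} = (x^r_1, \dots, x^r_k))$, an integer
$q \in [r]$, a set $S^{q-1}_x = \{s_i \in S : x^{q-1}_i = x\}$ and an equivalence class $v^{\sim_{q-1}} \in U^{\sim_{q-1}}$, the $q$th-level
bipartite graph $G_{S^{q-1}_x v^{\sim_{q-1}}}$ is defined as follows: Let the vertex set of $G_{S^{q-1}_x v^{\sim_{q-1}}}$ be $\mathcal{S}^{q-1}_x \cup (v^{\sim_{q-1}})^{\sim_q}$.
For each $S^q_y \in \mathcal{S}^{q-1}_x$ and $v^{\sim_q} \in (v^{\sim_{q-1}})^{\sim_q}$ we have an edge between $S^q_y$ and $v^{\sim_q}$ if and only
if there exists an authorized partial plan $\pi_{q,y} : S^q_y \to v^{\sim_q}$ such that $p_{q'}|_{S^q_y}$ is a $\sim_{q'}$-pattern for $\pi_{q,y}$
for each $q' > q$.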

Similarly to previous lemmas, we can prove the following result: 

Lemma 5. The following conditions are equivalent: (i) There exists an authorized partial plan
$\pi_{q,y} : S^q_y \to v^{\sim_q}$ such that $p_{q'}|_{S^q_y}$ is a $\sim_{q'}$-pattern for $\pi_{q,y}$ for each $q' > q$; and (ii) $G_{S^q_y v^{\sim_q}}$ has a
matching covering $\mathcal{S}^q_y$.

Observe that (assuming $\sim_r$ is the relation $=$) if $q = r$, then $v^{\sim_r} = \{v\}$ and there is an edge
between $S^r_y$ and $v^{\sim_r}$ if and only if $v$ is authorized for all steps in $S^r_y$. Therefore $G_{S^{r-1}_x v^{\sim_{r-1}}}$ can be
constructed in polynomial time, and a matching saturating $\mathcal{S}^{r-1}_x$ can be found in polynomial time
if one exists. By Lemma 5 we can use graphs of the form $G_{S^q_y v^{\sim_q}}$ to construct graphs of the form
$G_{S^{q-1}_x v^{\sim_{q-1}}}$. Thus, in polynomial time (for fixed $r$) we can decide whether there exists an authorized
partial plan $\pi_{0,y} : S^0_y \to v^{\sim_0}$ such that $p_{q'}|_{S^0_y}$ is a $\sim_{q'}$-pattern for $\pi_{0,y}$ for each $q' > 0$. As $S^0_y = S$
and $v^{\sim_0} = U$, this lets us decide whether there exists a complete, valid plan $\pi$ corresponding to an
eligible joint pattern $p$.

6.3 The Algorithm and Running Time 

The algorithm can now be constructed very similarly as in Section 5. We begin by defining an empty
partial joint pattern $p = (0^k, \dots, 0^k)$, then as in Algorithm 2 we construct a recursive backtracking
algorithm to complete $p$ into a complete joint pattern (where no entry is 0).

This is done in a bottom-up manner. Let $p' = (p'_{\sim_1}, \dots, p'_{\sim_r})$ be a partial joint pattern. If $p'$ is
complete, then we proceed to test realizability as above. Otherwise, let $i \le r$ be the largest integer
such that $p'_{\sim_i}$ is incomplete, and let $j \in [k]$ be such that $p'_{\sim_i}(j) = 0$. Let $k' = \max_{j' \in [k]} p'_{\sim_i}(j') + 1$,
and let $S_{ij} = \{j' \in [k] : p'_{\sim_{i+1}}(j') = p'_{\sim_{i+1}}(j)\}$. (If $i = r$, then we simply define $S_{ij} = \{j\}$.) Then for
every $a \in [k']$ we perform the following procedure: fix $p'_{\sim_i}(j') = a$ for every $j' \in S_{ij}$; check if the
resulting partial pattern is ineligible (i.e., if some constraint of $C_{\sim_i}$ whose scope intersects $S_{ij}$
has become violated); and if not, make a recursive call with the resulting joint pattern $p'$.

We claim that this is a correct algorithm, which enumerates joint patterns which are consistent 
by the specification of the set Sij , and which furthermore enumerates only distinct nested partitions 
thanks to the choice of k'. 
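
The labelling rule above (each block either reuses an existing label or takes the next unused one, so $a \in [k']$) reaches every nested partition exactly once. The added Python example below, which is not from the paper, enumerates nested partitions bottom-up for small $k$ and $r$ without constraints, checks consistency and distinctness, and compares the count with the $(r+1)^{k-1} k^{k-2}$ bound obtained in the proof of Theorem 2; the function names are illustrative.

```python
def canonical_labelings(n):
    """Yield label vectors over n items in which each new label is at most max-so-far + 1.

    Every set partition of the n items corresponds to exactly one such vector.
    """
    def extend(prefix, highest):
        if len(prefix) == n:
            yield tuple(prefix)
            return
        for a in range(1, highest + 2):      # a in [k'] with k' = highest + 1
            yield from extend(prefix + [a], max(highest, a))
    yield from extend([], 0)

def nested_partitions(k, r):
    """Yield tuples (P_1, ..., P_r) of label vectors over k steps, P_{q+1} refining P_q."""
    def coarsen(levels):
        if len(levels) == r:
            yield tuple(reversed(levels))    # coarsest level first
            return
        finer = levels[-1]
        # Label whole blocks of the finer level, so consistency holds by construction.
        for block_label in canonical_labelings(max(finer)):
            coarser = tuple(block_label[b - 1] for b in finer)
            yield from coarsen(levels + [coarser])
    for finest in canonical_labelings(k):    # level r is completed first (bottom-up)
        yield from coarsen([finest])

def is_consistent(joint):
    """Equal labels at level q+1 must imply equal labels at level q."""
    k = len(joint[0])
    return all(fine[i] != fine[j] or coarse[i] == coarse[j]
               for coarse, fine in zip(joint, joint[1:])
               for i in range(k) for j in range(k))

def count_and_bound(k, r):
    """Return (number of nested partitions enumerated, bound (r+1)^(k-1) * k^(k-2))."""
    found = list(nested_partitions(k, r))
    assert len(set(found)) == len(found) and all(map(is_consistent, found))
    return len(found), (r + 1) ** (k - 1) * k ** (k - 2)

if __name__ == "__main__":
    for k, r in [(3, 1), (3, 2), (4, 2), (5, 3)]:
        print(k, r, count_and_bound(k, r))
```

For $r = 1$ the count is the Bell number of $k$, and in every case it stays well below the $k^{kr}$-style growth of unrestricted label vectors.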

Theorem 3. WSP with nested class-independent constraints in $r$ levels and with $k$ steps is FPT
with a running time of

Proof. Clearly, since eligibility and authorization of every proposed joint pattern is verified explicitly,
the algorithm gives no false positives, i.e., it never reports the existence of a valid plan for an
unsatisfiable instance. The opposite also holds: Assume that the instance allows for a valid plan $\pi$.
Then at every recursion point, corresponding to the specification of a value $p'_{\sim_i}(j)$, there is exactly
one value of $a$ consistent with $\pi$ (either $k' = 1$, in which case there is no choice; or $p_{\sim_i}$ places $s_j$
in the same equivalence class as some previously specified step $s'$; or $s_j$ must be placed in a new
equivalence class and we let $a = k'$). It is also clear that this recursive path is not aborted. Hence
the process results in a complete joint pattern $p$ corresponding to $\pi$, which is eligible by assumption,
and for which some authorized complete plan $\pi'$ is subsequently computed.

To bound the running time, we argue very similarly to show that the number of leaves is bounded
by the number of distinct nested partitions. Clearly, for an upper bound on the running time we
may assume that no recursive branch is aborted (i.e., every possible plan is eligible). Then we find
as above that for every nested partition $\mathcal{P}$, we can trace exactly one path from the root of the
calling tree to a leaf, where at every point there is exactly one value $p'_{\sim_i}(j) = a$ that is consistent
with $\mathcal{P}$. We also find that every leaf of the calling tree, corresponding to a complete joint pattern $p$,
corresponds to only exactly one nested partition. Hence Theorem 2 bounds the number of leaves of
the calling tree by $(r+1)^{k-1} k^{k-2} = 2^{(k-1)\log(r+1) + (k-2)\log k} = O^*(2^{k \log((r+1)k)})$. The total running
time is bounded by a polynomial factor times this number; hence the result follows. □

Finally, we note that for modest values of r, specifically r = then this bound can be written
as j overhead due to r is not “visible” in the exponent until r = . 

Recently, it was shown that (under a standard complexity assumption) even the basic case of
WSP with only UI constraints admits no algorithm with a running time of for any
$\varepsilon > 0$ [12]. Hence for cases where $r = k^{o(1)}$, the bound in Theorem 3 matches the lower bound (up
to lower-order terms in the exponent).


7 Algorithm Implementation and Computational Experiments 

There can be a huge difference between an algorithm in principle and its actual implementation as 
a computer code. For example, see EJUSj. We have implemented the new pattern-backtracking 
FPT algorithm and a reduction to the pseudo-Boolean satisfiability (PB SAT) problem in C++,
using SAT4J [T2] as a pseudo-Boolean SAT solver. Reductions from WSP constraints to PB ones
were done similarly to those in 13 [Tj [13]. Our FPT algorithm extends the pattern-backtracking
framework of [13] in a nontrivial way; see below.

In this section we first describe some tweaks and heuristics used by the algorithm (with no known 
impact on its theoretical performance), then we describe a series of experiments that we ran to test 
the performance of our FPT algorithm against that of SAT4J. Due to the difficulty of acquiring 
real-world workflow instances, we generate and use synthetic data to test our new FPT algorithm 
and reduction to the PB SAT problem (as in similar experimental studies [21 [13 [H])- All our 
experiments use a MacBook Pro computer having a 2.6 GHz Intel Core i5 processor, 8 GB 1600
MHz DDR3 RAM and running Mac OS X 10.9.5.

We generate a number of random WSP instances using not-equals (i.e., constraints of the form
$(s, s', \neq)$), equivalence and non-equivalence constraints (i.e., constraints of the types $(s, s', \sim)$ and
$(s, s', \not\sim)$), and at-most constraints. An at-most constraint is a UI constraint that restricts the
number of users that may be involved in the execution of a set of steps. It is, therefore, a form of
cardinality constraint and imposes a loose form of “need-to-know” constraint on the execution of
a workflow instance, which can be important in certain business processes. An at-most constraint
may be represented as a tuple $(t, Q, \le)$, where $Q \subseteq S$, $1 \le t \le |Q|$, and is satisfied by any plan that
allocates no more than $t$ users in total to the steps in $Q$. In all our at-most constraints $t = 3$ and
$|Q| = 5$ as in [Zl[I3.

7.1 Further Implementation Details 

The FPT algorithm and pattern generation of [7] have to assume a fixed ordering $s_1, \dots, s_k$ of
steps in $S$, whereas the pattern-backtracking framework we use allows us to consider the steps as
arbitrarily permuted and to browse the search space of patterns more efficiently. Our algorithm
uses a heuristic to decide which zero-valued coordinate $x_i$ (when $p_=$ is constructed) or $y_i$ (when $p_\sim$
is constructed) should be considered next. The heuristic simply chooses a zero-valued coordinate of
maximum weight, but the way to compute weights of zero-valued coordinates depends on the type
of constraints in the WSP instance.

For the types of constraints used in our computational experiments, the weights are computed
as follows: the weight of $x_i$ is the total number of steps involved in user-independent constraints
containing $s_i$, and the weight of $y_i$ is the number of non-equivalence constraints $(s, s', \not\sim)$ containing
$s_i$ plus ten times the number of equivalence constraints $(s, s', \sim)$ constraining $s_i$. The intuition
behind this is as follows. For user-independent constraints, a step involved in user-independent
constraints containing the largest number of steps in total reduces the pattern search space more
effectively. Similarly, for class-independence constraints, a step involved in a larger number of
constraints reduces the search space more effectively, with equivalence constraints having a much
stronger influence on the search space reduction. In other words, we choose a “more constrained”
step in each case first.

The procedure Realizable($W$, $p$), used to test realizability by finding matchings covering one
partite set of the bipartite graph, uses a modified version of the Hungarian algorithm and data
structures from m in combination with some simple speed-ups and Proposition 1 of m.

Table 1: Parameters used in our experiments

| Parameter | | Values |
|---|---|---|
| Number of steps $k$ | | 20, 25, 30 |
| Number of users $n$ | | $10k$ |
| Number of user equivalence classes $r$ | | $2k$ |
| Number of constraints $(s, s', \neq)$ | $k = 20$ | 20, 25 |
| | $k = 25$ | 25, 30 |
| | $k = 30$ | 30, 35 |
| Number of constraints $(s, s', \sim)$ | $k = 20$ | 0 |
| | $k = 25$ | 1 |
| | $k = 30$ | 2 |
| Number of constraints $(s, s', \not\sim)$ | $k = 20$ | 10, 15, 20, 25, 30 |
| | $k = 25$ | 15, 20, 25, 30, 35 |
| | $k = 30$ | 20, 25, 30, 35, 40 |
| Number of at-most constraints | $k = 20$ | 10, 15, 20, 25, 30, 35, 40 |
| | $k = 25$ | 15, 20, 25, 30, 35, 40, 45 |
| | $k = 30$ | 20, 25, 30, 35, 40, 45, 50 |

7.2 Experimental Parameters and Instance Generation 

We summarize the parameters we use for our experiments in Table 1. Values of $k$, $n$ and $r$ were
chosen that seemed appropriate for real-world workflow specifications. The values of the other
parameters were determined by preliminary experiments designed to identify “challenging” instances
of WSP: that is, instances that were neither very lightly constrained nor very tightly constrained.
Informally, it is relatively easy to determine that lightly constrained instances are satisfiable and
that tightly constrained instances are unsatisfiable. Thus the instances we use in our experiments
are (very approximately) equally likely to be satisfiable or unsatisfiable. In particular, by varying
the numbers of at-most constraints and constraints of the form $(s, s', \not\sim)$, we are able to generate a
set of instances with the desired characteristics (as shown by the results in Table 2).

A constraint $(s, s', \not\sim)$ implies the existence of a constraint $(s, s', \neq)$, so we do not vary the
number of not-equals a great deal (in contrast to existing work in the literature m). Informally, a
constraint $(s, s', \sim)$ reduces the difficulty of finding a valid plan. Thus, given our desire to investigate
challenging instances, we do not use very many of these constraints.

All the constraints, authorizations, and equivalence classes of users are generated for each instance
separately, uniformly at random. The random generation of authorizations, not-equals, and
at-most constraints uses existing techniques [7] . The generation of equivalence and non-equivalence 
constraints has to be controlled to ensure that an instance is not trivially unsatisfiable. In particular, 
we must discard a constraint of the form (s, s', if we have already generated a constraint of the 
form (s,s',^). The equivalence classes of the user set are generated by enumerating the user set 
and then splitting the list into contiguous sublists. The number of elements in each sublist varies 
between 3 and 7 (chosen uniformly at random and adjusted, where necessary, so that the total 
number of members in the r sub-lists is n). 

7.3 Results and Evaluation 

We adopt the following labelling convention for our test instances: a.b.c.d denotes an instance with
a not-equals constraints, b at-most constraints, c equivalence constraints, and d non-equivalence
constraints (as used in the first and fourth columns of Table 2 for instances with $k = 25$ and $k = 30$,
respectively). In our experiments we compare the run-times and outcomes of SAT4J (having reduced
the WSP instance to a PB SAT problem instance) and our FPT algorithm, which we will call
PBA4CI (pattern-based algorithm for class-independent constraints). Table 2 shows some detailed
results of our experiments (the results for $k = 20$ were excluded for reasons of space). We record
whether an instance is solved, indicating a satisfiable instance with a ‘Y’ and an unsatisfiable instance
with a ‘N’; instances that were not solved are indicated by a question mark. PBA4CI reaches a
conclusive decision (Y or N) for every test instance, whereas SAT4J fails to reach such a decision
for some instances, typically because the machine runs out of memory. The table also records the
time (in seconds) taken for the algorithms to run on each instance. We would expect that the time
taken to solve an instance would depend on whether the instance is satisfiable or not, and this is
confirmed by the results in the table.

Table 2: Results for $k = 25$ and 30. Time in seconds. Y, N, ? mean satisfied, unsatisfied, unsolved.

| Instance ($k = 25$) | SAT4J | PBA4CI | Instance ($k = 30$) | SAT4J | PBA4CI |
|---|---|---|---|---|---|
| 25.15.1.15 | 2.62 | 2.464 | 30.20.2.20 | 2.72 | 50.804 |
| 25.20.1.15 | Y 22.38 | Y 0.010 | 30.25.2.20 | Y 271.78 | Y 2.323 |
| 25.25.1.15 | Y 11.03 | Y 0.010 | 30.30.2.20 | ? 2,141.60 | Y 2.946 |
| 25.30.1.15 | Y 35.54 | Y 0.040 | 30.35.2.20 | ? 2,250.02 | N 0.412 |
| 25.35.1.15 | N 1,439.94 | N 0.075 | 30.40.2.20 | ? 1,942.57 | N 2.238 |
| 25.40.1.15 | ? 2,088.06 | N 0.033 | 30.45.2.20 | ? 2,198.02 | N 2.171 |
| 25.45.1.15 | Y 113.37 | Y 0.022 | 30.50.2.20 | ? 2,580.81 | N 0.494 |
| 25.15.1.20 | Y 1.52 | Y 111.799 | 30.20.2.25 | Y 4.18 | Y 237.604 |
| 25.20.1.20 | Y 7.77 | Y 0.024 | 30.25.2.25 | Y 76.41 | Y 0.789 |
| 25.25.1.20 | Y 297.39 | Y 0.065 | 30.30.2.25 | ? 2,288.07 | N 0.401 |
| 25.30.1.20 | ? 2,273.56 | N 0.033 | 30.35.2.25 | Y 1,364.66 | Y 0.238 |
| 25.35.1.20 | Y 48.29 | Y 0.067 | 30.40.2.25 | ? 2,383.92 | N 0.775 |
| 25.40.1.20 | N 105.48 | N 0.045 | 30.45.2.25 | ? 1,743.87 | N 0.394 |
| 25.45.1.20 | ? 2,105.61 | N 0.031 | 30.50.2.25 | ? 2,385.39 | N 0.218 |
| 25.15.1.25 | Y 14.40 | Y 0.014 | 30.20.2.30 | Y 35.40 | Y 0.071 |
| 25.20.1.25 | Y 80.25 | Y 0.021 | 30.25.2.30 | Y 9.37 | Y 1.063 |
| 25.25.1.25 | ? 2,284.78 | N 0.023 | 30.30.2.30 | N 1,632.51 | N 0.347 |
| 25.30.1.25 | N 442.91 | N 0.237 | 30.35.2.30 | Y 803.50 | Y 0.029 |
| 25.35.1.25 | ? 2,188.01 | N 0.060 | 30.40.2.30 | ? 2,022.71 | N 0.981 |
| 25.40.1.25 | ? 2,293.77 | N 0.043 | 30.45.2.30 | ? 1,902.84 | N 1.501 |
| 25.45.1.25 | ? 2,041.02 | N 0.144 | 30.50.2.30 | ? 1,730.93 | N 0.467 |
| 25.15.1.30 | Y 3.22 | Y 0.011 | 30.20.2.35 | Y 24.12 | Y 0.453 |
| 25.20.1.30 | Y 240.59 | Y 0.014 | 30.25.2.35 | Y 456.51 | Y 0.085 |
| 25.25.1.30 | Y 66.74 | Y 0.050 | 30.30.2.35 | N 1,817.76 | N 1.088 |
| 25.30.1.30 | ? 2,301.75 | N 0.088 | 30.35.2.35 | ? 1,949.77 | N 0.111 |
| 25.35.1.30 | N 1,562.30 | N 0.023 | 30.40.2.35 | ? 2,115.32 | N 0.551 |
| 25.40.1.30 | ? 2,332.07 | N 0.127 | 30.45.2.35 | ? 1,535.57 | N 0.118 |
| 25.45.1.30 | N 950.25 | N 0.040 | 30.50.2.35 | ? 1,647.41 | N 0.454 |
| 25.15.1.35 | Y 10.57 | Y 0.014 | 30.20.2.40 | V 3,088.54 | N 0.729 |
| 25.20.1.35 | N 218.70 | N 0.166 | 30.25.2.40 | ? 1,746.81 | Y 0.542 |
| 25.25.1.35 | Y 37.87 | Y 0.012 | 30.30.2.40 | ? 2,350.01 | Y 0.949 |
| 25.30.1.35 | ? 2,421.30 | N 0.054 | 30.35.2.40 | ? 1,857.27 | N 0.576 |
| 25.35.1.35 | N 1,524.68 | N 0.022 | 30.40.2.40 | ? 1,938.63 | N 0.221 |
| 25.40.1.35 | N 1,001.67 | N 0.028 | 30.45.2.40 | ? 2,159.50 | N 0.209 |
| 25.45.1.35 | ? 1,974.05 | N 0.034 | 30.50.2.40 | ? 1,815.15 | N 0.337 |

In total, the experiments cover 210 randomly generated instances, 70 instances for each number 
of steps, $k \in \{20, 25, 30\}$. PBA4CI successfully solves all of the instances, while SAT4J fails on
almost 40% of the instances (mostly unsatisfiable ones). In terms of CPU time, SAT4J is more 
efficient only on 5 instances (2.4%) in total; 1 for 20 steps, 1 for 25 steps, and 3 for 30 steps, all 
of which are lightly constrained. For these instances PBA4CI has to generate a large number of 
patterns in the search space before it finds a solution. 

Overall, PBA4CI is clearly more effective and efficient than SAT4J on these instances. Table 3
shows the summary statistics for all the experiments. The numbers of instances unsolved by SAT4J
are indicated in parentheses. For average CPU time values, we assume that the running time on
the unsolved instances can be considered as a lower bound on the time required to solve them.
Therefore average time values in Table 3 take into consideration unsolved instances for SAT4J: they
are estimated lower bounds on its average time performance. As the number of steps $k$ increases,
SAT4J fails more frequently and is unable to reach a conclusive decision for more than 65% of
instances when $k = 30$, some of which are satisfiable. However, SAT4J is clearly more efficient (and
effective) on satisfiable instances than on the unsatisfiable ones, while for PBA4CI the converse is
true. This can be explained by very different search strategies used by the solvers.

Table 3: Summary statistics for $k \in \{20, 25, 30\}$

| $k$ | Result | SAT4J Count | SAT4J Mean Time | PBA4CI Count | PBA4CI Mean Time |
|---|---|---|---|---|---|
| 20 | Y | 32 | 27.25 | 32 | 0.11 |
| | N | 29 (9) | 1,538.65 | 38 | 0.01 |
| | Total | 61 (9) | 847.72 | 70 | 0.05 |
| 25 | Y | 28 | 61.86 | 28 | 4.12 |
| | N | 15 (27) | 1,719.31 | 42 | 0.07 |
| | Total | 43 (27) | 1,056.33 | 70 | 1.69 |
| 30 | Y | 18 (4) | 693.53 | 22 | 14.80 |
| | N | 6 (42) | 2,003.76 | 48 | 0.84 |
| | Total | 24 (46) | 1,591.97 | 70 | 5.23 |


8 Conclusion 

We have introduced the concept of a class-independent constraint, which significantly generalizes 
user-independent constraints and substantially extends the range of real-world business requirements
that can be modelled. We have designed an FPT algorithm for WSP with class-independent
constraints. Our computational results demonstrate that our FPT algorithm is useful in practice 
for WSP with class-independent constraints, in particular for WSP instances that are too hard for 
SAT4J. 

We also outlined a generalization of our approach, and gave a more careful analysis of the 
worst-case complexity compared to the previous version of this paper [S]. 

Acknowledgement. This research was partially supported by an EPSRC grant EP/K005162/1. 